136 CHAPTER 4 IDENTIFYING HAZARDS AND OPERATIONAL PROBLEMS
It is not uncommon that the team leader may not have all the requirements in one person. Any gap can be supplemented by the skills of a team member, or specialist input on a needs basis.
4.4.2.4 Advantages of FMEA
The major advantages of the FMEA technique are:
• ease of construction at component level
• quick identification of critical failures
• ability to identify criticality of failures for setting priorities in risk management
• provides input to other hazard evaluation tools such as fault tree analysis and event tree analysis
• ability to apply for any system (flow and non-flow processes, batch operation, materials handling, sequential operation, man-machine interactions, mechanical, electrical, pneumatic and hydraulic systems)
• ability to incorporate human error failure modes to determine the level of automatic response required. This is highly useful in the design of control systems and layered protection systems.
• Does not require a large amount of resources
4.4.2.5 Limitations of FMEA
There are limitations on the range of applicability of FMEA that one should be aware of.
• FMEA addresses only one component at a time, and may not reveal the complex and hidden interactions in the subsystem and between subsystems in the system. In some cases, this coupling can be identified by extending the question 'What is the effect of failure on the system? What other system/component is affected?'
• It does not provide sufficient detail for quantification of system consequences.
• FMEA often focuses more on the failure modes rather than the causes of the failure modes. The main reason why the causes of failures are often not analysed in depth in the FMEA is because, for failures to which a criticality is assigned, the causes would be explored in detail outside the FMEA framework, as part of an in-depth assessment.
4.4.3 Hazard and Operability Study
The study is generally undertaken before the construction of new plant or equipment, or before making major modifications to existing plant, in order to facilitate recognition of a large number of hazards or potential operating problems which can be avoided by redesign or adoption of suitable operating procedures.
The earlier a potential problem is found, the less expensive it is to rectify the problem, and the more likely it is that the solution will in fact be implemented.
The study is undertaken by a multi-disciplinary group, and facilitated by an experienced facilitator.
4.4.3.1 HAZOP philosophy
The underlying philosophy of HAZOP is to identify potential deviations from intended operation of a system or subsystem, the consequences of the deviations, and develop design/procedural requirements to prevent the adverse consequences of the deviation from occurring.
In the process industry, this philosophy translates into a systematic examination of the design or operation of an installation, as represented by the layout, general arrangement and P&I diagrams with all control and instrumentation and the sequence of operations shown. Deviations from the design values of key process parameters (physical and thermodynamic) are studied, using guidewords to stimulate the examination, assisted by design documents and operations manuals.
Since the pioneering work of Lawley (1974), and the early work of the Chemical Industry Association in the UK (1977), the HAZOP technique has continued to enjoy extensive coverage in the process safety literature (Kletz 1999, Lees 2001, Knowlton 1992, Tweeddale 2003, Crawley and Tyler 2000, 2003).
4.4.3.2 HAZOP methodology
The team formally reviews each part on the P&I diagram, selecting a process pipeline or equipment item, one at a time, using a set of deviation guidewords to consider what could happen to the process, equipment and personnel in an abnormal situation and how that situation could arise.
It is essential to make the guidewords as specific as possible and appropriate to the type of process or operation studied, in order to make the HAZOP technique most effective. For instance, slightly different guidewords are required for batch processing, compared with continuous processing. An approach that combines the FMEA and HAZOP techniques for batch processing has been described by Collins (1995) and Mushtaq and Chung (2000).
Typical guidewords for fluid systems and non-fluid systems are listed in Tables 4-7 and 4-8 respectively.
TABLE 4-7 HAZOP GUIDEWORDS FOR FLUID SYSTEMS

For continuous and batch processes, for each line/equipment or subsystem:

Guideword | Deviations
Changes in quantity - Flow | High flow / Low flow / No flow / Reverse flow
Changes in quantity - Level | High level / Low level / No level
Changes in physical condition - Pressure | High pressure / Low pressure / Surge (hammer effect)
Changes in physical condition - Temperature | High temperature / Low temperature
Changes in physical condition - Viscosity | High viscosity / Low viscosity
Change in composition | Contaminants (gaseous, liquid and solid); concentration changes, reactions, multi-phase flow; foaming, scum formation
Monitoring and control | Instruments, control systems (interlocks, redundancies, location, effectiveness, adequacy, function testing etc.), sampling

Additional guidewords for batch reaction systems, for each step in the operational sequence:

Guideword | Deviations
Timing | Too late, too early, duration too short, duration too long, incorrect sequence
Reaction | Too fast, too slow, incomplete, runaway; more, less or incorrect charge; incorrect recipe; catalyst; contaminants
Valve position | Open, closed, modulating
Agitation | On, off, overspeed, underspeed

TABLE 4-8 HAZOP GUIDEWORDS FOR NON-FLUID SYSTEMS

For non-fluid systems (solids, material handling):

Guideword | Deviations
Position | Too high, too low, too far, misaligned, wrong position
Movement | High speed, low speed, no movement, reverse movement, vibration, friction, slip, obstacles
Load | High load, low load, high flow, low flow, loss of containment
Energy (electrical, pneumatic, hydraulic, steam, etc.) | Low energy, high energy, energy failure
Timing | Too late, too early, too short, too long, incorrect sequence
Contamination | Water, oil, dust, flammables, corrosives, incompatible materials
Size | Too large, too small, too long, too short, too wide, too narrow
Process control | Adequate, automatic versus manual, interlocks, limits, trips, critical variable monitoring, location
Maintenance | Isolation, access, cleaning/purging, inspection/testing

The HAZOP procedure is shown in Figure 4-10.

FIGURE 4-10 HAZOP PROCEDURE SCHEMATIC
In what follows we outline the steps in a HAZOP study, along with special hints in making the HAZOP effective.
1. Select a P&ID for review.
2. Conduct preliminary review.
Select a process line or a plant section (node) in the P&ID for review. The line/plant section may spread over more than one P&ID. Wherever possible, ensure that the line originates from an item of equipment (e.g. vessel, pump) and terminates at another.
3. Select a guideword. The guideword can be a combination of a parameter and a deviation (e.g. Level Low), or a single guideword where the parameter and the deviation are already concatenated.
4. Identify possible causes of the deviation. If no causes can be identified, the deviation is deemed infeasible, and the study moves on to the next deviation. It is important to record all causes because different causes may have different consequences. Causes should only be grouped together when the team agrees the consequences are the same for each cause.
Ahmed and Khan (1992) outline a number of causes of deviations for operating parameters such as flow, level, temperature and pressure.
5. Identify the consequences of the deviations. It is important to identify delayed consequences as well as immediate, and consequences both within and external to the node under examination. It helps to consider the transients in the development of consequences, noting the time at which an alarm or an interlock may operate. This allows a realistic judgement on the likelihood and influence of operator intervention.
The effectiveness of the HAZOP depends on the extent to which the impact of the transients following the deviation is considered. For instance, the question to ask is: If the operator becomes aware of the deviation through a detection system, will there be incident escalation before the operator can take corrective action? If the answer to this is 'yes', then either an inherently safer design option or a safety instrumented layer of protection may need to be considered.
6. Identify the relevant safeguards and determine their adequacy. The team should identify the existing safeguards that control the risk arising from the identified deviation. The safeguards may help prevent the cause, reduce the consequences, or both. Both hardware such as alarms and interlocks, and administrative controls such as operating procedures/operator response to alarms should be considered.
The team then uses its experience and judgement to assess whether the specified safeguards are adequate to control the risk. In making this assessment, the team takes account of the likelihood of the event, the seriousness of the consequences, and the probability that one or more of the safeguards fail.
Some general guidelines are:
• Control systems and protection systems should be separated. That is, a component which is part of a control loop should not be used to carry out a protection function.
• If the consequences of a deviation are severe, generally a single protection system is inadequate. A layered system would be required.
7. Document the proceedings in a standard template. A sample is shown in Example 4-6 below.
8. Repeat steps 3 to 7 until all guidewords are exhausted, and then repeat the whole procedure for other lines/plant sections.
9. When the P&IDs relating to a defined plant section are completed, conduct a HAZOP overview to identify global hazards.
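The worksheet logic of steps 3 to 8, together with the two general guidelines on safeguards, can be written down as a small program. This is an added example, not the book's own code or any HAZOP tool: the node, the entries and the instrument tags (LG-1, LT-1, LSHH-1) are a constructed sample loosely modelled on the ammonia day tank of Example 4-6 later in this section, and the severity scale is an assumption.

```python
"""HAZOP worksheet for one node with safeguard-adequacy checks.

Added example (not from the book or any HAZOP software). Encodes steps 3-8
of the procedure for a single node and the two general guidelines of step 6:
(1) a component used for control must not also perform a protection
function, and (2) a severe consequence needs a layered system. Node, entries
and tags LG-1, LT-1, LSHH-1 are a constructed sample; the severity scale is
an assumption.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    NEGLIGIBLE = 0
    MINOR = 1
    SERIOUS = 2
    SEVERE = 3


@dataclass(frozen=True)
class Safeguard:
    name: str
    automatic: bool                       # acts without operator intervention
    depends_on: frozenset = frozenset()   # instrument tags the safeguard relies on


@dataclass
class Entry:
    guideword: str
    causes: list
    consequences: str
    severity: Severity
    safeguards: list


# Abridged Table 4-7 style guideword list for a liquid transfer line.
GUIDEWORDS = ("High flow", "Low flow", "No flow", "Reverse flow",
              "High level", "Low level", "High pressure", "Low pressure",
              "High temperature", "Low temperature", "Contaminants")


def assess(entry, control_tags):
    """Step 6: apply the two general guidelines and return the actions raised.

    control_tags: instruments that the normal control of this deviation relies
    on. A safeguard depending on any of them is not an independent layer.
    """
    actions, independent = [], []
    for sg in entry.safeguards:
        shared = sg.depends_on & control_tags
        if shared:
            actions.append(f"'{sg.name}' relies on {sorted(shared)} which is used "
                           "for control; separate protection from control")
        else:
            independent.append(sg)
    if entry.severity >= Severity.SEVERE:
        if len(independent) < 2:
            actions.append("severe consequence with fewer than two independent "
                           "layers; layered protection required")
        if not any(sg.automatic for sg in independent):
            actions.append("all independent layers need operator intervention; "
                           "consider a safety instrumented layer (step 5)")
    return actions


def hazop_node(node, entries, control_tags):
    """Steps 3-8 for one node.

    Every guideword is documented (hint 9): a guideword with no entry gets a
    'No hazard identified' row rather than being omitted. Entries with the
    same guideword but different causes stay separate (step 4).
    """
    by_guideword = {}
    for e in entries:
        by_guideword.setdefault(e.guideword, []).append(e)
    unknown = set(by_guideword) - set(GUIDEWORDS)
    if unknown:
        raise ValueError(f"entries use guidewords not in the study list: {unknown}")
    rows = []
    for gw in GUIDEWORDS:
        for e in by_guideword.get(gw, [None]):
            if e is None:
                rows.append({"no": len(rows) + 1, "node": node, "guideword": gw,
                             "causes": [], "consequences": "No hazard identified",
                             "safeguards": [], "actions": []})
            else:
                rows.append({"no": len(rows) + 1, "node": node, "guideword": gw,
                             "causes": list(e.causes), "consequences": e.consequences,
                             "safeguards": [sg.name for sg in e.safeguards],
                             "actions": assess(e, control_tags)})
    return rows


def audit(rows):
    """Audit trail check: every guideword in the study list appears at least once."""
    return set(GUIDEWORDS) <= {r["guideword"] for r in rows}


# Constructed sample. The transfer is controlled by the field operator watching
# the local gauge (assumed tag LG-1), so LG-1 is the control instrument.
SAMPLE_ENTRIES = [
    Entry("High flow", ["Pump overspeed", "Less flow to other users"],
          "Faster filling of day tank", Severity.MINOR,
          [Safeguard("Operator watches local gauge LG-1", False, frozenset({"LG-1"}))]),
    Entry("Low flow", ["Leak from transfer line"],
          "Ammonia release to atmosphere, toxic impact", Severity.SEVERE,
          [Safeguard("Underground, corrosion-protected line", True),
           Safeguard("Manual detection and emergency response", False)]),
    Entry("High level", ["Field operator fails to close valve", "LG-1 reads low"],
          "Day tank overfill, liquid ammonia into vapour system, toxic release",
          Severity.SEVERE,
          [Safeguard("Operator watches local gauge LG-1", False, frozenset({"LG-1"})),
           Safeguard("LAH on LT-1, control room radios field", False, frozenset({"LT-1"})),
           Safeguard("LAHH on LSHH-1, control room radios field", False, frozenset({"LSHH-1"}))]),
]
SAMPLE_ROWS = hazop_node("Transfer line, NH3 sphere to day tank", SAMPLE_ENTRIES, {"LG-1"})

if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(r["no"], r["guideword"], "|", r["consequences"])
        for a in r["actions"]:
            print("   ACTION:", a)
```

The 'No hazard identified' rows are the audit trail that hint 9 asks for. With the sample data, guideline 1 flags the local-gauge watch as a safeguard that is really the control action, and the High level entry, whose only independent layers are two alarms that both depend on a radio call and operator action, triggers the suggestion of a safety instrumented layer, which is the conclusion reached for Entry 8 of Example 4-6.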
Table 4-9 lists a set of guidewords for line by line review, and a set of overview guidewords.
TABLE 4-9 OVERVIEW GUIDEWORDS FOR HAZOP

Guideword | Issues
Hazardous materials | Hazardous substances storage and handling (toxicity, handling procedures, precautions, exposure limits, exposure monitoring, escape routes, regulatory requirements, licensing), radioactive materials, pyrophoric substances
Electrical systems | Hazardous area classification, electrical isolation, earthing, high voltage systems
Equipment integrity | Materials of construction (vessels, piping/valves/gaskets/pumps/seals, others), codes and standards
Breakdown/loss of supply | Utilities and services (instrument air, plant air, nitrogen, cooling water, process water, demineralised water, steam, electricity, natural gas, auxiliary fuel), computer control, hydraulic system
Commissioning and start-up | Commissioning (sequence, procedures); start-up (first time start-up, routine start-up)
Shutdown | Planned, unplanned, emergency
Waste | Effluent (gaseous, liquid, solid), treatment, disposal
System maintenance and inspection | Preparation for inspection/maintenance (isolation, draining, purging, maintenance access, vessel entry, recommissioning)
Loss of containment | Fugitive emissions, minor leaks, major leaks, hazards isolation, bunding or diking, etc.
Occupational safety & health | Noise (sources, exposure limits, regulatory requirements, control measures); safety equipment (personal protection, respirator, breathing apparatus, access, training, location of safety showers etc.)
Fire protection | Fire/explosion (detection systems, separation distances, blast proofing, passive and active fire protection, access etc.)
Quality | Output and efficiency (reliability, conversion, product quality, product testing)
Environmental impact | Emissions (normal, abnormal), impact on air quality, water quality, soil contamination, marine environment
Sampling | Materials, location, frequency, handling safety
Erosion/Corrosion | Internal, external, corrosion underneath insulation, monitoring, prevention, protection
Static electricity | Sources of static electricity, prevention of buildup
Lifting | Crane operations, impact, dropped load
Collision | Vehicle movements in plant, forklift operations
Vibration | High vibration, monitoring

It can be seen that most of the overview guidewords are focused towards hazard identification rather than operability, which is covered by the parametric deviation guidewords. Static electricity impacts are discussed by Pratt and Atharton (1995), Astbury and Harper (2001) and Pavey (2004).
4.4.3.3 How to make a HAZOP study effective?
The HAZOP study is considered the single most important safety study in a process plant's life. Things missed in a HAZOP, or a HAZOP not performed at all, often come back to haunt the plant in the form of incidents and near misses. A number of case studies have been cited (Ender and Laird 2003, Kletz 1994, Sanders and Spier 1996, Riezel 2002, Gustin 2002). The HAZOP report is also difficult to audit in terms of completeness, unless there have been blatant errors of omission, which are not expected of a competent team.
A workshop conducted by the IChemE Safety and Loss Prevention Group (Turner 1996) found the following:
• 71% said that an industry HAZOP standard for defining hazard study quality was necessary.
• 68% said that they would use a 'lessons learned' database as part of the HAZOP, if one was available.
• An audit trail of the HAZOP process was considered essential in the documentation.
• Computerised recording of HAZOP and follow-up of actions was very much preferred.
McKelvey (1988) has identified six problem areas for failure of a HAZOP.
a) Lack of experience (leader and/or team)
b) Failure to communicate (loss of organisational memory)
c) Management of shortcomings (key people availability, lack of continuity, lack of commitment)
d) Complacency and poor loss prevention practices ("we have operated this way for several years without incidents" syndrome)
e) Shortage of technical information (e.g. you cannot conduct an effective HAZOP of a reaction system without information on reaction kinetics and reactivity hazards)
f) The ultimate limitation: tired human beings with brains stretched and loss of concentration.
A number of hints are offered below in ensuring that the HAZOP process is effective, and reasonably complete. One can never state with absolute certainty that all hazards have been identified.
1. Ideally, select an experienced facilitator, with an understanding of the process in question, process design experience, familiarity with layers of protection assessment, and operational experience. Not all persons who have merely attended a training course as a HAZOP facilitator can actually lead a HAZOP effectively.
2. Select the correct and compact team composition. For new facilities, minimum full time presence of the process designer, project engineer, instruments/control system engineer, operations representative, and safety representative is necessary. Personnel from other disciplines and vendor representatives may be called into the session on an as needed basis. For an existing facility, it is also necessary to have a maintenance representative, and an experienced operator or plant supervisor. The HAZOP minutes secretary (scribe) must be a technical person, and be under the direct guidance of the facilitator.
3. Have the right support documentation. Minimum data requirements are:
design basis, process description, layout and general arrangement drawings, P&IDs, equipment register with design specifications, instruments register with alarm and trip settings, relief valve capacity and settings, instrument cause & effect diagrams, hazardous area classification drawings, manuals of vendor packages, operations/maintenance manuals (for operating plants), hazardous properties of materials and information on reactivity hazards.
4. Prior to commencement of HAZOP sessions, conduct a search of accident databases (see Chapter 3 for a list of databases available) and compile a 'lessons learnt' dossier relevant to the process being examined. Its value has been stressed by Mannken (2001) and also recognised in the survey by IChemE (Turner 1996).
5. The leader should explain at the outset that there will be questions to stimulate the thinking, that the design and operating practices may be challenged, and that there is no need for a defensive response from the process design or operations representative. No incompetence on their part was implied, but the discussion would result in better understanding of the design and operation by all concerned.
6. If an issue is not resolved within 5-10 minutes of discussion, document an action for review outside the HAZOP session. If additional protection is required, record the intent. Do not design.
7. Make sure that the consequence of the deviation is pushed to the stage of operator response and examine the transients to determine if another layer of protection would be required. Once again, do not design.
8. Do not skip a guideword on the grounds of familiarity. Remember that HAZOP always has hidden surprises. Conversely, additional guidewords may be used, if found necessary, for a given situation.
9. In the early days of HAZOP, the documentation was by exception, meaning that if there is no hazard identified for a deviation, it was not recorded. In recent times, the importance of an audit trail has been recognised, especially when the HAZOP report becomes a document in evidence in legal proceedings. Therefore, make sure that all guidewords are documented, and in the case of no hazards, add a comment that 'no hazard identified' for the sake of completeness.
10. The general principles of group dynamics, managing a brainstorming team, having regular breaks to keep the brain cool apply. They are not elaborated here.
EXAMPLE 4-6 HAZOP METHOD ILLUSTRATED
A large petrochemical facility has an ammonia plant and other downstream plants that use the anhydrous ammonia as the intermediate for other products. One of the downstream plants is located 800m from the main ammonia storage spheres.
An ammonia storage bullet at the downstream plant is used for receiving, storing and distributing ammonia. The day tank is fitted with a local level gauge, a level transmitter indicating the level at the central control room 800m away, with level alarm high, and an independent high high level alarm, to sound in the control room.
The transfer procedure is for the field operator to inform the control room operator, open a manual isolation valve to transfer ammonia to the day tank (the pump at the ammonia sphere is always on as ammonia is also supplied to other users on the site), watch the local level gauge, and close the valve when the desired level is reached. Should the high level alarm sound in the control room, the control room operator is to contact the field operator by radio and ask that the transfer be stopped.
A schematic of the P&I diagram is shown in Figure 4-11.
FIGURE 4-11 SCHEMATIC OF AMMONIA TRANSFER SYSTEM
The HAZOP documentation for the main transfer line is shown in Table 4-10.
Only a partial list is shown, illustrating the technique.
Entries 7 and 8 indicate that there is clearly a problem. There is no mechanism to resolve a conflict between the local gauge indication and the control room level indication. Nor is there a clear operating instruction that the field operator must not ignore a stop request from the control room, regardless of which instrument is faulty, since stopping the transfer is the fail-safe action.
If we view this from a layer of protection analysis point of view, the existing procedure covers up to Layer 3 (Chapter 3, Section 3.3). The action arising in Entry 8 is necessary because of the severity of the consequences, taking it to Layer 4 (safety instrumented system).
TABLE 4-10 HAZOP DOCUMENTATION FOR AMMONIA TRANSFER

HAZOP STUDY
Project No: Ammonia system upgrade
Date:
P&ID No:
Node No:
System: Ammonia transfer to day tank
Present: List attendees, Leader and Scribe
Line No:
Line description: Transfer line from NH3 sphere to day tank

Entry 1
Guideword: High flow
Causes: Pump overspeed; changes in hydraulics with less flow to other users
Consequences: Faster filling of day tank
Safeguards: Operator present during transfer; level gauge watched continually
Action:
Responsible:

Entry 2
Guideword: Low flow
Causes: Pump cavitation; more draw off from other users
Consequences: Longer duration to fill day tank
Safeguards: Operator present during transfer; level gauge watched continually; radio communication with control room
Action:
Responsible:

Entry 3
Guideword: Low flow
Causes: Leak from transfer line
Consequences: Ammonia release to atmosphere, toxic impact
Safeguards: Underground line, protected from impact; line corrosion protected; manual detection by personnel on site; emergency response procedures
Action: Review the mechanical integrity program for transfer pipeline
Responsible: Engineering
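The question posed in step 5 and hint 7, whether the incident escalates before the operator can act on an alarm, can be put to the day tank of Example 4-6 numerically. This is an added example, not the book's calculation: the book gives no tank size, fill rate, alarm setpoints or response times, so every number below is a constructed assumption, and the tags LG-1, LT-1, LSHH-1 and XV-1 are assumed names.

```python
"""Transient check for a 'High level' deviation (step 5 and hint 7).

Added example, not from the book. For each layer that can stop the transfer
it compares the time from the layer's setpoint to overflow with the time the
layer needs to act. All numbers (fill rate, setpoints, response times) are
constructed assumptions; tags LG-1, LT-1, LSHH-1, XV-1 are assumed names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    setpoint_pct: float   # tank level (% full) at which the layer is triggered
    response_s: float     # seconds from trigger until the transfer is stopped
    protection: bool      # False for the control action itself (operator at gauge)
    automatic: bool       # True if no operator is in the loop


def seconds_to_overflow(level_pct, fill_rate_pct_per_min):
    """Time from a given level to 100 % at a constant fill rate (inf if not filling)."""
    if fill_rate_pct_per_min <= 0:
        return float("inf")
    return (100.0 - level_pct) / fill_rate_pct_per_min * 60.0


def evaluate(layers, fill_rate_pct_per_min):
    """A layer 'holds' if it stops the transfer before the tank overflows."""
    out = []
    for layer in sorted(layers, key=lambda l: l.setpoint_pct):
        margin = seconds_to_overflow(layer.setpoint_pct, fill_rate_pct_per_min)
        out.append({"layer": layer.name, "margin_s": round(margin, 1),
                    "holds": layer.response_s < margin,
                    "protection": layer.protection, "automatic": layer.automatic})
    return out


def escalates_before_operator(results):
    """Step 5 question: True if no protection layer (as distinct from the
    control action) stops the event in time, so another layer is required."""
    return not any(r["holds"] and r["protection"] for r in results)


# Constructed sample. A radio call from the control room plus the field
# operator returning to the valve and closing it is assumed to take 240 s.
EXISTING = [
    Layer("Field operator watches local gauge LG-1 and closes valve", 90, 60, False, False),
    Layer("LAH on LT-1, control room radios field operator", 92, 240, True, False),
    Layer("Independent LAHH on LSHH-1, control room radios field operator", 96, 240, True, False),
]
PROPOSED_SIS = Layer("SIS trip on LSHH-1 closes shutoff valve XV-1", 96, 15, True, True)
FILL_RATE = 2.0   # % of tank volume per minute during a high-flow transfer (assumed)

EXISTING_RESULTS = evaluate(EXISTING, FILL_RATE)
UPGRADED_RESULTS = evaluate(EXISTING + [PROPOSED_SIS], FILL_RATE)

if __name__ == "__main__":
    for r in EXISTING_RESULTS:
        print(f"{r['layer']}: margin {r['margin_s']} s, holds={r['holds']}")
    print("escalates before operator can act:", escalates_before_operator(EXISTING_RESULTS))
    print("with SIS added:", escalates_before_operator(UPGRADED_RESULTS))
```

With the assumed numbers the only layer that stops the transfer in time is the field operator watching the local gauge, which is the control action itself and not a protection layer; both control-room alarms depend on a radio call and a walk to the valve that take longer than the margin from their setpoints to overflow. That is the situation behind Entries 7 and 8, and an automatic trip on the independent LSHH-1 is the kind of action that takes the system to Layer 4.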